To protect your privacy, hand over your data

Since this article was first posted, Alex Pentland at the Massachusetts Institute of Technology’s Human Dynamics Laboratory has asked New Scientist to clarify that although a central database would exist under his proposed scheme, it would contain only anonymised aggregate demographic data. Individuals would maintain ownership and control of their own data, and store it themselves on their own devices or using trusted personal services. Samples or “slices” of this personal data could then be provided to third parties to verify identity as required. This system would place less individual personal data in the hands of third parties.

Verifying your identity generally comes down to entering one “key” that only you can provide – be it a password, credit card number or RFID tag.

That’s not good enough, according to a new proposal, which suggests that our digital identities will be more secure if they rest on reams of data on our everyday life culled from cellphones, online transactions and the like.

The idea comes from Alex Pentland at the Massachusetts Institute of Technology’s Human Dynamics Laboratory. The lab is a pioneer of “reality mining” – studying how people behave by using the crumbs of digital data our every action now produces.

“You are what you do and who you do it with,” says Pentland. Researchers and corporations have realised the potential of such data mining, he points out. “It is already happening and it is time for people to get a stake.”

Personal control

If people gain control of their own personal data mines, rather than allowing them to be built and held by corporations, they could use them not only to prove who they are but also to inform smart recommendation systems, Pentland says.

He recognises that allowing even limited access to detailed logs of your actions may seem scary. But he argues it is safer than relying on key-like codes and numbers, which are vulnerable to theft or forgery.

“It is not feasible for a single organisation to own all this rich identity information,” Pentland says. What he envisages instead is the creation of a central body, supported by a combination of cellphone networks, banks and government bodies.

That bank could provide “slices” of data to third parties that want to check a person’s identity. That information could be much like that required to verify high-level security clearance in government, says Pentland.

Privacy expectations

An individual could also allow their data to be used by services like apps on their smartphone to provide personalised recommendations such as restaurant suggestions or driving directions. This has the potential to be much more powerful than the recommender systems built into services like Netflix and iTunes, and would help familiarise users with the value of the approach, says Pentland.

Getting people to share facets of their rich identity is still likely to be a tough sell. “There will be an incredibly complex matrix of sensitivities and privacy expectations when it comes to managing such data,” says J. Trevor Hughes, executive director of the International Association of Privacy Professionals.

A wide range of things need to be engineered into any such system to make it work, says Hughes: effective public policy, consumer education, sophisticated data security and more.

Pentland says he is addressing such challenges. “I have already been working with the Harvard Law Lab and the World Economic Forum to develop and advocate the idea.” Those two organisations and 70 other industry partners that have expressed an interest will be asked to trial a design for the system currently being finalised.